CVE-2023-36665 - Fix not reflected in dist version

[wakester25]

protobuf.js version: 7.2.4

Expected Behavior : Fix introduced for CVE-2023-36665 (https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4) would also be reflected in the distribution version of the code as well

Actual Behavior : Fix does not seem to be rolled out to distribution version. Distribution version seems to be last compiled on September 9 2022 - https://cdn.jsdelivr.net/npm/protobufjs@7.2.4/dist/protobuf.js

Code snippet from https://cdn.jsdelivr.net/npm/protobufjs@7.2.4/dist/protobuf.js

Would expect below to match e66379f

util.setProperty = function setProperty(dst, path, value) {
    function setProp(dst, path, value) {
        var part = path.shift();
        if (part === "__proto__") {
          return dst;
        }
        if (path.length > 0) {

[Fotiman]

Following. Scanning tools still detect protobufjs 7.2.4 as containing CVE-2023-36665 because the fix for this vulnerability was only applied to the sources (util.js) in version 7.2.4, and was not fully released on dist files, so the risk exists in the 7.2.4 version.

[CalebBoLiuPriceline]

Any update?

[albertosaito]

BTW, I'm still getting CVE-2023-36665 as a security vulnerability from protobufjs@6.11.4, even when I see the code change in the dist files: https://cdn.jsdelivr.net/npm/protobufjs@6.11.4/dist/protobuf.js

Furthermore, the affected version range here https://nvd.nist.gov/vuln/detail/CVE-2023-36665 show as if everything below 7.2.4 is vulnerable.

[alexander-fenster]

That's weird, because the dist files are supposed to be rebuilt in the prepublish step. I'm looking at what might be wrong here.

In any case, in the latest versions (7.2.5 and 6.11.4) the dist files are fixed, I checked both of them.

The GitHub advisory GHSA-h755-8qp9-cq85 was updated to list 6.11.4 as fixed. If anyone knows how to update the advisory at https://nvd.nist.gov/vuln/detail/CVE-2023-36665 accordingly, please let me know, or just go ahead and do it.

[Fotiman]

I'm still getting CVE-2023-36665 detected in 7.2.5.

[wakester25]

I believe CVE’s can be updated through here : https://www.cve.org/ReportRequest/ReportRequestForNonCNAs

I won’t be able to get the update in till next mid week. If no one has done it by then I will go ahead and request the update.

[wakester25]

Accidentally closed with comment. Reopening till CVE is updated.

[imdangodaane]

Is there any news on this? I'm still getting report from scanning tools 😭

[wakester25]

CVE has been updated to to correctly identify 7.2.5 as the fixed version : https://nvd.nist.gov/vuln/detail/CVE-2023-36665. Marking this issue as closed.